Toymaker VTech hit by largest-ever hack targeting kids

The data breach at toymaker VTech is growing more serious.

BOSTON/HONG KONG • Some state authorities in the US say they will investigate a massive breach at digital toymaker VTech Holdings, as security experts warn that hackers are likely to target similar companies that handle customer data.

HONG KONG — VTech Holdings is working with regulators in Hong Kong after a hacking attack at the maker of electronic toys and computer tablets compromised the privacy of millions of children and parents. Children’s technology maker VTech says the personal information of about five million of its customers and their children may have been stolen by hackers. VTech is the world’s largest maker of cordless phones.

On Tuesday, the company disclosed that, in addition to the 4.9 million parent accounts accessed by hackers, nearly 6.4 million children were also swept up in the breach. The Connecticut and Illinois attorneys-general on Monday said they would probe the breaches, though their representatives declined comment on the focus of their inquiries. The Hong Kong-based firm initially disclosed the attack on Friday, and said hackers took data of nearly 5 million adults, but it did not disclose how many children’s profiles were accessed.

The hackers also obtained children’s photos and chat records from VTech’s Kid Connect service, which allows adults to use their smartphones to chat with kids using VTech tablets, reported technology blog Motherboard. People unwittingly trusting their personal information in a company that wasn’t equipped to handle it.” The company’s statement said the children’s profiles included only name, gender and birth date. Stolen data on their parents included name, mailing address, email address, secret question and answer for password retrieval, IP address, download history and encrypted password. This week, they confirmed that the breach involved more than five million accounts, belonging to parents and kids, including information from Canadian customers.

The largest number of customers whose data was accessed were in the United States, followed by France, the United Kingdom, Germany, Canada, Spain, Belgium and the Netherlands. In this case, the alleged hacker — who contacted Vice’s Motherboard and provided to a reporter information taken from the hack — has said that “nothing” will be done with the information, apart from it being used to reveal the company’s weaknesses. “Frankly, it makes me sick that I was able to get all this stuff,” the alleged hacker told Vice reporter Lorenzo Franceschi-Bicchierai. “VTech should have the book thrown at them.” Vice’s Motherboard, which was the first to alert VTech to the breach, has also reported that the hacker was able to access profile pictures of children as well as chat logs between kids and their parents. The perpetrators could use the information to access social media profiles or to target children online, said Mr Bryce Boland, Asia chief technology officer for FireEye. “It may be that this data theft is only the tip of the iceberg,” he said in an e-mail. “Until there is a thorough forensic investigation, they won’t know if they can still be sucker-punched in cyberspace. But for customer accounts — the kind of account a parent would set up — the database includes a lot of information, including names, email addresses, passwords, password reset questions and answers, IP addresses, mailing addresses, and the download history for an account.

VTech acknowledged those reports but said it had not confirmed them, though it did say its security measures should have been stronger. “Regretfully our database was not as secure as it should have been,” the company said in a statement. “Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks.” Toymakers have bet big on connected and smart toys, and the incorporation of technology has prompted analysts to project this could be the industry’s best year in a decade. Hong Kong Privacy Commissioner for Personal Data Stephen Wong said his office had initiated a “compliance check” to see if VTech had followed data privacy principles. The horse may have bolted, but that doesn’t mean the hacker didn’t move from the barn to the house.” Hackers accessed five million customer accounts through VTech’s Learning Lodge database, where users download applications, learning games and e-books.

Avner Levin, director of the Privacy and Cybercrime Institute at Ryerson University, says this breach is different because it involves kids’ information — and it raises some questions about parents’ responsibility. Some experts say they expect to see more breaches involving data collected through digital toys and other Web-connected devices, a category of products known as the Internet of Things. “You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data,” said Ms Katie Moussouris, chief policy officer with HackerOne, which helps businesses find cyber bugs.

Activist group Campaign for a Commercial-Free Childhood has raised the privacy risks of the high-tech “Hello Barbie” doll unveiled earlier this year by toy giant Mattel. The company announced Monday that hackers may have accessed personal data of five million customers. “You really have to watch out and not sort of jump into all of these neat little ideas, of creating like neat little kiddie accounts. Stop and think — is that what you want to do?” he said. “You’re creating these digital footprints for your kids that are going to go and accompany them throughout life. But ToyTalk, Mattel’s technology partner, in a blog post last week pointed to the “many safety features that have been integrated” into the design of Hello Barbie. Mr Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it, which would have made it difficult to unscramble and useless if stolen.

In a post on his website, Troy Hunt, the security researcher who helped verify the VTech breach, said the company had some alarming security practices. Avner Levin, who is both a parent and a security researcher, says if your child is going to have an online account or profile, a little obfuscation is in order. “Change the age, change the gender, change the name, change whatever you can so that you don’t actually have a record of your child online with their real information that can then be stolen and used,” he said.